A quick poll: Which recent disaster was the worst: (A) Hurricane Harvey; (B) Hurricane Irma; (C) the Equifax data breach?
Equifax said its systems were breached starting in mid-May until it discovered the hack on July 29. It informed the public on September 7.
The United States is home to about 240 million adults. Equifax provided enough personal details to make 143 million of them vulnerable to identity theft. Add all the other remaining big breaches, account for overlap, carry the one, and you end up with, in round numbers, everyone.
The bad guys have something in common with the Social Security Administration: They both know your social security number.
It’s long past time to fix this mess. And since nobody is stepping up to the plate, it’s time for a modest proposal from the Keep the Joint Running Think Tank, otherwise known as yours truly with a bottle of beer in his hand and a keyboard in front of him.
Okay, “fix” might be going too far, but there are some steps we could take that, if not simple, would at least be straightforward. Share them with your senators and congressperson. Starting with the most obvious and working our way down through the list of nearly-as-obvious:
> SSN 2.0: The Social Security Administration should issue each of us a brand-spanking-new social security number that nobody other than it and you know about. Except, that is …
> Business access to SSN 2.0: Some businesses do have a specific need for some individuals’ social security numbers. SSN 2.0 redefines business use of social security numbers. As of now it’s a right. Under SSN 2.0 it becomes a privilege — soliciting and storing an individual’s social security number will be illegal, except for businesses that have a demonstrable need. Any other company caught storing social security numbers in any company database will be immediately liquidated.
> SSN 2.0 certification: In order to be awarded the right to store social security numbers, applicants must prove compliance with the agency’s data protection requirements. Chief among these:
– Universal encryption of every bit of stored data. No, not just personally identifiable information (PII). Everything. That eliminates the possibility of the “Oops — we missed that one! Sorry …” factor. Too expensive? Don’t be ridiculous. Compare this expense to the cost of fixing the massive level of identity theft we’re in for.
Oh, by the way … does anyone reading this think the data Equifax lost was encrypted? Me neither. Which leads to this question: What? And this one: Seriously?
– AI-based intrusion detection: Companies that encrypt all their data can still be breached, and decryption keys can be stolen — through social engineering techniques if not hacking.
Even with stolen decryption keys a breach isn’t that big a deal. An undetected breach is a big deal. The use of AI techniques to detect intrusions is in play right now. There’s simply no valid reason other than bad budget priorities for failing to detect and address a breach for a month or more.
– The fundamentals: Keeping current with patches, rotating encryption keys, role-based identity management applied to all employee transitions, white-hat hacking … you know, not even best practices, as if there was such a thing. Just the minimum standards of basic professionalism.
– Keep the PR department out of it: I don’t care if the breach makes the company look bad. The company’s image really isn’t the issue.
> FBMA: For hurricanes, tornadoes, floods, and earthquakes we have FEMA. For massive data breaches we have bupkis. It’s time to create the Federal Breach Management Administration. FEMA in Houston has, I think, demonstrated the validity of federal government intervention in disasters of a certain size and scope. This is just as logical in the virtual world as the physical one.
I know many of KJR’s subscribers have a libertarian bent, and don’t think the Federal government has any business regulating or involving itself in the financial transactions between two parties.
After all, immediately after reporting the breach (which is to say about four months after the breach itself), Equifax offered everyone affected a free identity theft monitoring service.
Because of course I’m going to trust the company that lost my data to let me know my data has been stolen.
And oh, by the way, as reported by The Denver Post’s Tamara Chuang, (“Clearing up confusion on the Equifax data breach, no thanks to Equifax,” 9/8/2017) those foolish enough to sign up inadvertently gave up their right to sue.
Just an opinion here: One important role for government is evening out a hopelessly asymmetrical balance of power.
Like, for example, the imbalance between Equifax’s power to collect data about you and your power to avoid doing business with it.
NY AG Schneiderman has informed Equifax that they may not require arbitration for any suits regarding this breach.
Bob, I agree with pretty much everything you said here. I will point out, in a minuscule amount of defense for Equifax, that they announced today they were withdrawing the requirement that you give up your right to sue in order to sign up for their theft monitoring service.
This goes well beyond a disaster. Except for those unfortunate people who lost their lives, the mess in Texas and Florida will get cleaned up, homes will be repaired, cars will be replaced, and life will go on. For those impacted by this particular data breach, however, the damage lasts for the rest of our lives (or perhaps even further). Some day down the road, when we’ve forgotten about this incident, someone will use forged credentials to, for example, empty our bank accounts, impersonate us in the commission of a crime, or infiltrate our office network. The opportunities are endless and new ones are created every day. The CEO of Equifax should be sentenced to one minute in prison for every one of those exfiltrated records. And that’s a light sentence, since most of us will, eventually, end up spending untold hours trying to undo whatever damage to our lives is enabled by the Equifax data.
I like SSN2.0, but it will never happen, because there are numerous factions who believe they would benefit, if only the new number complied with their design, e.g., permanent medical identifier (but then we’d need numbers for every carbon unit…) or everyone gets an IPV6 address or [fill in your fantasy]. Whatever numbering scheme that emerges would promptly be subjected to the same idiocy as the current SSN. (Been to the doctor lately; they not only want your SSN, they want to photocopy your driver’s license, too.)
Mandatory prison time for the CEO, CFO, CIO, CTO, CISO and the Board of Directors is a reasonable deterrent (but barely adequate; I just happen to oppose capital punishment, although I might be persuaded to change that position in this case.)
Bravo! Not being able to quickly get new SSN’s is unacceptable. But, it doesn’t make sense to make changes until the GRU’s involvement in our last election has been fully investigated and understood. I believe the mix of foreign military and foreign criminal activities of the last 2 years in the US has to be fully understood and rooted out. Otherwise, our financial infrastructure could be severely damaged, at the worst possible time.
This is not the time to change the subject.
I can remember, many long years ago, when your Social Security card said at the bottom, “Not to be used for identification purposes.” (https://www.ssa.gov/history/hfaq.html, Q21) And yet, our SSN has become our nation’s universal ID system.
So, since it has, something like your proposal is long overdue. I wonder, though, about making the effort around the identification end of the process. Perhaps we could also beef up the other end: using the SSN to obtain credit? After all, if it were much more difficult to use the SSN to open new accounts, stealing them might become less attractive.
And lastly – perhaps we could also do something about the credit reporting system. As you note, we don’t choose to participate. I get the need for it, but wonder if there is a better way. Three companies should be the basis for competition, but I don’t remember getting to choose. Oh wait — we’re not the customer, we’re the product. Perhaps it’s time for the products to rebel?
Rather than trying to protect SSN or reissue new numbers, maybe it make more sense to ensure that SSN can’t be used to commit serious ID theft. After all there are millions of people whose assigned Medicare number is their SSN, and that is a population least able to deal with change. I’d vote for refresher training on the Red Flag rules, which basically put the onus on any entity setting up credit to verify that the person was really who they said they were; maybe require even more verification in light of Equifax. I’d require Equifax to offer free lifetime freeze/unfreeze services (Freezing accounts sharply reduces risk). The IRS (and at least some states, such as Massachusetts) have taken steps to reduce the risk of tax id fraud. Every financial and healthcare related entity I’ve dealt with asks enough questions to ensure that the person on the other end is authenticated.
My concern with FBNA is the same knuckleheads that drive PCI will lobby FBNA. We will end up with 1000 pages of regulations that end up doing nothing except hurt smaller businesses that can’t begin to read them.
Not that I’m sympathetic to the issue. Equifax should be shutdown over this – period. Insider trading of stock, sloooow reporting, and a pathetic response via their miserable website. I love SSN2 and we should be past relying on that number. I even like the idea of a temporary SSN that is used in a two factor kind of way.
A superb source on this mess is Brian Krebs – his latest article is an in-depth follow-up Q&A https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
Not to take away from Bob who throws out some great ideas here. Wish I was more optimistic that Washington would address this mess the right way. Lewis for president in 2020?
My, my wife’s, and my kids data was stolen in the Anthem breach, including the SSN for my (at the time) 15 and 17 year olds. This is an absolute travesty, and absolutely nothing happened to Anthem. (and BTW, why did a company require the SSN of minors???). Of course the criminals should be prosecuted, but Anthem should be prosecuted also.
As a person who is shall we say “on the back 9” of life, I’ve already got the cars and a mortgage, so I can likely manage and survive an identity theft. My 18 and 20 year old children, just coming into the age of using credit to their advantage, may now suffer years of trouble because of the incompetence of Anthem (and maybe now Equifax). I am so concerned for them.
Bob, you are dead on with this column.
The media and the government have thus far been way too sanguine about this. People need to be informed that virtually every American adult is now vulnerable to identity theft, and that we will have virtually no way to prove whether our identities actually are ours. Looks like congressional action will amount to forcing Equifax to extend their “identity theft protection” from one year to three years. Right.
Luckily, some executives managed to sell some stock before it tanked. So they get retired, they will have something besides their multi-million dollar severance package to survive on.
“Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.”
Note also that signing up for the monitoring service gives them permission to install 3rd-party software on your computer. Conveniently they disavow any responsibility for whatever might happen due to the 3rd-party software.
From T&C https://trustedidpremier.com/static/terms:
“THIRD PARTY SOFTWARE. In the event that the Product you are procuring hereunder includes third party software, You acknowledge that Your use of third party software may be subject to the license terms associated with such third party software. TrustedID hereby disclaims any liability or responsibility with respect to any such third party software.”
While one can get one free credit report per year from each credit reporting company, some T&C terms may allow more than that.
“You are entitled to receive a free copy of your consumer disclosure if you are unemployed and intend to apply for employment in the next 60 days, if you are a recipient of public welfare assistance, or …”
Spread the word. All unemployed adults need to think about getting a job in the next two months, and then every two months thereafter. Oh, and then order free credit reports from Equifax every other month.
Hmm. So with SSN 2.0 we’ve got a proposal for rolling out a massive new system that would touch almost every aspect of life for about 300 million Americans…and it’s never even had a proof-of-concept, much less a pilot project to see what problems it solves and what new issues it creates. I wonder, what would the Bob Lewis who says successful large systems are grown out of successful small systems think of that?
Anyway, isn’t the real problem here that the SSN is used as a universal form of authentication, rather than as a universal identifier? My name, address and birth date identify me, and they’re not secret. The trouble is that businesses need to tell whether somebody who uses my name (or SSN) is actually me. SSN 2.0 won’t fix that. It’s just SSN with encryption and unenforceable confidentiality requirements — recycled 1930s technology with a thin, 21st-century candy shell.
Photos, fingerprints and other biometric data are much harder to fake in the real world. Why not use them for authentication instead of a number? (The actual answer is that SSNs, like passwords, are cheap and already in place, and reliable authentication would cost money. But THAT’S no fun to point out…)
I agree with your choice of Equifax as the biggest disaster, and in an ideal would I would love your solution. In our world, I would like to not use my SSN for ID for other than government ID, and to opt out of having my data stored in places I do not select. Probably my bank and credit card number are good places to start with those questions, followed by my medical providers
The problem is your SSN is used as an authenticator, rather than an identifier.
Sort that out first then having these data breaches will be less of an issue.
I don’t think so. The SSN is used as an identifier – you need only look at the database schemas that include it. It’s used as a key. Sometimes the primary key, in fact.
You’re right that in too many situations there’s no authentication process following presentation of a stolen SSN. It would be interesting to devise a way of authenticating it that wasn’t just as prone to data theft as the SSN itself. I’d suggest using the dingus on the back of most credit cards as a model if it weren’t for the ease with which stolen credit card information is used.
Like Jeremy said…using SSN as an authenticator vs an identifier is the problem. Also, too many systems use this information as “Breeder Documents”–things like birth certificates, social security numbers, etc. which have no intrinsic identity tied to them, but create an identity for an individual. For not too much money and a little effort, I can get a birth certificate which allows me to apply for a SSN which when tied together can get me a driver’s license. In no step in the process is identity verified. It is a house of cards.
While many don’t want the government in their business, other countries are demanding their government get it together and rigorously identify and verify individual identities. We don’t have to get rid of SSN, we just have to make sure the SSN presented is really connected to an individual, and biometrics will be the best way to do this.
Comments are closed.